A recent article in the New York Times Dealbook column reported on phone number hijacking, in which a bad guy fraudulently takes over someone's mobile phone number and used it to reset credentials and drain the victim's account. It happens a lot, even to the chief technologist of the FTC. This reminds us that security is hard, and understanding two-factor authentication is harder than it seems.

The usual definition of two-factor is to pick two different items from a list of security types:

Something you know, like a password

Something you have, like a physical key

Something you are, like your fingerprint

A mobile phone is something you have, but the number assigned to that phone is not, more like something you rent. Just about every account that has two-factor authentication can use a phone as one of those factors, but there are a lot of different ways to use the phone that have very different security profiles, particularly when you consider the ways they can fail if your phone breaks or is lost or stolen.

One common way is to send a text message with a one-time code you enter when you log into the account, or occasionally a voice call that reads the number to you. That fails if someone hijacks your phone number but is fairly robust if your phone breaks or is stolen. Assuming you set a password or lock pattern on your phone, incoming texts usually show that there's a text waiting, but not the contents of the text. Recovering is straightforward, get a new phone and move the number to it. (If the phone broke, this can be as simple as moving the SIM card to a new phone.)

The other approach is to use the phone itself to generate one time codes, using what's known as Time-based One-time Password Algorithms (TOTP.) Some businesses such as my bank provide their own apps to generate the codes, but most use a standard scheme defined in IETF RFC 6238. The best known standard TOTP programs are Google Authenticator and Microsoft Authenticator, but there are many others. If you lose the phone, again the phone password protects against other people getting your codes, but recovery is a pain since once you get a new phone, even with the same phone number, you have to install the TOTP program anew and reset all the accounts that used the old TOTP program.

Except actually, you don't. The usual way to set up a TOTP is that the business shows you a QR code on your laptop or desktop screen which the TOTP program scans. A TOTP isn't so much something you have as something your phone app knows. For each account that uses a TOTP, the app uses a fixed key contained in the QR code, which you can generally also get as a string of letters if you don't have a camera to scan the QR code. Since the TOTP algorithm is standardized, you can put that fixed key in as many places as you want. When I set up a new TOTP code, I scan it on my phone, my tablet, and I put letter string in a file I keep offline. So if I lose my phone I can use the tablet to log in, and when I get a new phone I can enter the key strings into the TOTP app on the new phone and the accounts to which they're linked are none the wiser.

So this means that even though TOTP code generator seems like something you have, it's really something your app knows, or if you're good at memorizing random character strings, something you know, too.

The other common technique is to send e-mail, which you read on your phone, or anywhere else you read mail. Sometimes the e-mail has a one-time code, but more often it's for password resets. Mail accounts, particularly if they're at free providers, are if anything easier to hijack than phone numbers. Large providers have entire departments to deal with account recovery, and staff that spends much of their time trying to figure out which recovery requests are real and which are hijacks. If your account is at a paid provider, it's probably somewhat more secure (they have a pretty good idea who you are if you pay with a credit card) but even so, any support desk can be the target of a social engineering attack to steal your account.

None of this is to say that two-factor authentication is a bad idea, but it does say that you should think about how valuable your accounts are and protect them accordingly. If I had a really valuable account protected by TOTP, I'd consider using a device that only runs the TOTP application (an $20 used phone would do, preferably not activated) and put it in my safe deposit box, along with a printout of the TOTP key. For accounts that have those inane recovery questions, my high school mascot is uoxuxtxehwkhaaulyxthtwppx, my mother's maiden name is vbtupbslwoxkkbdkxasvezppq, and my favorite color is exbuqkgcihzgmemnyrghyctmx, also printed out and put in a safe place. You get the idea.

By John Levine, Author, Consultant & Speaker. More blog posts from John Levine can also be read here.

Comments

I do that to. When calling a bank, the curious bank rep asked how to pronounce my mothers maiden name. I was surprised by the question and told them it was just a string of random characters .... The fact that they could read it made clear the data is plain text for there reps to read and thus steal, etc. Its only secure data if its between the banks computers and myself with no third party access.

>the chief technologist of the FTC

His PIN comments are incorrect as well. Skipping lots of details, some months ago I tried out Verizon phone service using a new number and phone obtained through Best Buy. The bill I soon received was three times higher than I was told it would be. Being more than a little annoyed I toss out all related account docs, called them up and canceled my account. It took MONTHS for them to close the account and stop charging me! In the finally call they asked for my PIN which I no longer had and told them so. I made clear at this point their confirmation of previous call notes, etc, should only require them to do what they promised and no challenge who I am. They finally closed the account. The moral of the story is the PIN code for Verizon is a human procedural step where they can see the PIN and thus ignore it as if the customer did provide it. In my case this was good, but if I was trying to socially engineer them this would be very bad.

So long as a human is in the loop and making all the decisions two factors authentication is meaningless.

And without naming the Domain Name Registry, many years ago I went to submit an IP update for our registrar. The form asked me for our registrars Pass Code as part of the form. Previously I always called in our IP updates to a human and thus avoided the form, but this time they demanded the form .... Which was a non-secure HTTP page!!! I then called tech support back and complained that it was totally unacceptable to request a registrar's pass code on an insecure form. I was told "You are the only one complaining, use the form". Fortunately I knew one of the higher up in the organization and immediately contacted them. The form was immediately removed (for a week as they updating the HTTPS) and I was assured that tech support person would be receiving "retraining" .... Since calling that registry that support person has never answered the phone.

So the next issue is how such information is handled between end points by the service provider. Frankly so call "anonymous" has never achieved any hacking success a privileged tech support person could not do with a packet sniffer on a major internet transit hub. The media presents the illusion that security is all about the end points, totally ignoring all the links in between where a "hacker" using a packet sniffer has trivial undetectable access to data such as ftp password, email recovering emails, and unsecured registrar update forms, and far more.

An alternative to SMS or phone apps is for the server to make a voice call to the ptoential user and wait for a PIN. Then if the phone or phone number is stolen, security is maintained since the thief won't have the PIN. Since the PIN and the password travel over separate networks, it won't be easy to steal both. At least one vendor (Duo Security) of 2-factor solutions offers this service, although they don't emphasize it. It has the advantage also that an ordinary desk phone can be made the target, which can be used to restrict access further.

Mobile Internet

DNS Security

IP Addressing

Promoted Posts

ACCELR/8 is a transformative IPv4 market solution developed by industry veterans Marc Lindsey and Janine Goodman that enables organizations buying or selling blocks as small as /20s to keep pace with the evolving demands of the market by applying processes that have delivered value for many of the largest market participants. more»